CVE-2026-49380: JetBrains TeamCity SAML Open Redirect Vulnerability
JetBrains TeamCity versions before 2026.1 contain an open redirect vulnerability in the SAML authentication plugin. An attacker could craft a malicious link that, when clicked by a user, redirects them to an attacker-controlled website after authentication. This requires user interaction and offers limited direct impact, but could be chained with phishing or credential harvesting tactics.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.1 LOW · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-601
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
In JetBrains TeamCity before 2026.1 open redirect in the SAML plugin was possible
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The SAML plugin in TeamCity before 2026.1 fails to properly validate redirect destinations, allowing an unauthenticated attacker to craft a specially formed URL that performs an open redirect after successful SAML authentication. The vulnerability is classified as CWE-601 (URL Redirection to Untrusted Site) and requires a user to click a malicious link and complete authentication. The CVSS 3.1 score of 3.1 reflects the requirement for user interaction and limited confidentiality/availability impact, with only integrity slightly affected through redirection to untrusted content.
Business impact
The primary business risk is reputational and user trust. A successful attack typically involves redirecting authenticated users to phishing sites or credential harvesters, potentially capturing second-factor authentication tokens or session cookies if the redirect occurs post-login. For organizations using TeamCity as a CI/CD gating system, compromise of user accounts could lead to unauthorized pipeline modifications or supply chain risk. However, the low severity rating and high interaction barrier limit the likelihood of widespread exploitation in typical environments.
Affected systems
JetBrains TeamCity installations running versions prior to 2026.1 are affected. The vulnerability is specific to the SAML plugin component, so only deployments using SAML for single sign-on are directly vulnerable. Air-gapped or internally-only SAML implementations face lower attack surface than those accessible from the internet.
Exploitability
Exploitability is low to moderate. An attacker must craft a malicious URL and trick a user into clicking it—there is no automatic or network-based attack vector. The vulnerability does not appear on the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting no widespread active exploitation in the wild at this time. The attack requires prior knowledge of the target's TeamCity instance URL and SAML configuration, making opportunistic attacks less likely than targeted spear-phishing campaigns.
Remediation
Upgrade TeamCity to version 2026.1 or later. JetBrains has addressed the open redirect validation issue in that release. For organizations unable to upgrade immediately, restrict external access to TeamCity instances to trusted networks and educate users to verify redirect destinations before interacting with authentication links, particularly those arriving via email.
Patch guidance
Review the JetBrains TeamCity release notes and advisory for version 2026.1 to confirm the SAML plugin fix is included and to identify any other improvements in that release. Test the upgrade in a non-production environment first, as SAML plugin updates can affect authentication workflows. After patching, verify that SAML redirect functionality operates normally for legitimate use cases. Document the patch date for compliance records.
Detection guidance
Monitor TeamCity access logs for unusual redirect parameters in SAML authentication URLs, particularly those containing domain names or hostnames not in your organization's approved list. Look for authentication requests followed by redirects to external domains. If possible, enable detailed SAML plugin logging to capture redirect destinations during authentication flows. Endpoint detection and response (EDR) tools should flag instances where users are redirected post-authentication to previously unseen domains, though this may generate false positives in multi-tenant or federated environments.
Why prioritize this
Although the CVSS score is low, the vulnerability should still receive attention because it enables credential theft and phishing vectors against developers and CI/CD system administrators—high-value targets in supply chain attacks. The attack requires user interaction but is relatively simple to construct. Prioritize patching for internet-facing TeamCity instances; internal-only deployments can be addressed during regular maintenance windows.
Risk score, explained
The CVSS 3.1 score of 3.1 (LOW) reflects the combination of network accessibility, high attack complexity (user interaction required), low privileges needed, and limited impact. There is no loss of confidentiality or availability, and integrity impact is limited to redirection. The low score appropriately captures that this is not an unauthenticated remote code execution or full authentication bypass; however, security teams should not interpret 'low' as 'ignore,' as open redirects in authentication flows remain tactically useful for social engineering.
Frequently asked questions
Does this vulnerability allow an attacker to bypass SAML authentication?
No. The vulnerability does not bypass or weaken SAML authentication itself. Instead, it allows an attacker to craft a link that, after a user completes legitimate SAML authentication, redirects them to an attacker-controlled site. This is useful for phishing follow-up attacks but requires the attacker to trick the user into clicking the malicious link first.
Is this vulnerability actively being exploited in the wild?
There is no evidence of active exploitation. The vulnerability does not appear on the CISA KEV list as of the most recent update. However, open redirects are common reconnaissance and social engineering tools, so organizations should not wait for proof of active exploitation before patching.
Can an attacker exploit this vulnerability without user interaction?
No. The CVSS vector confirms that user interaction (UI:R) is required. An attacker must craft a malicious URL and convince a user to click it. There is no automatic or passive exploitation path.
Should we prioritize this patch over other security updates?
Given the low CVSS score, prioritize based on your patch management policy and asset criticality. Internet-facing TeamCity instances and those used in high-security supply chains should be patched sooner; internal-only instances can be included in regular maintenance windows. Combine this patch with other JetBrains updates to minimize disruption.
This analysis is based on the CVE record as of 2026-06-17 and publicly available information from JetBrains. Verify all patch versions, release dates, and technical details against the official JetBrains security advisory before taking remediation action. SEC.co makes no warranty about the accuracy of third-party vulnerability data and recommends independent testing in your environment. Organizations should consult their own risk and compliance teams when prioritizing security patches. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-45278LOWNextcloud OIDC Open Redirect Vulnerability – Patch Available
- CVE-2026-10856MEDIUMMISP Dashboard URL Validation Bypass – Phishing Risk
- CVE-2026-10861MEDIUMMISP Open Redirect Vulnerability in Post-Login Flow
- CVE-2026-40181MEDIUMReact Router Open Redirect Vulnerability (v6 & v7)
- CVE-2026-40961HIGHApache Airflow Open Redirect Vulnerability (CVSS 7.2)
- CVE-2026-41569MEDIUMauthentik WS-Federation URL Validation Bypass Leading to Credential Theft
- CVE-2026-45307MEDIUMSpeakr Open Redirect Vulnerability in Post-Login Redirects
- CVE-2026-49370LOWJetBrains YouTrack Information Disclosure – fetchApp Request Vulnerability